Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk access to RHEL audit.log

ewok
Explorer
‎07-28-2025 08:27 PM

Running Splunk 9.3.5 on RHEL 8.  STIG hardened environment. 

The non-Splunk RHEL instances running a Universal Forwarder have no issue access the audit.log files, apparently by virtue of the statement

AmbientCapabilities=CAP_DAC_READ_SEARCH

located in the /etc/systemd/system/SplunkForwarder.service file.  However, the same is not true on the Splunk instance.  They require read access permissions via a file ACL or something.  Where these options all result in multiple STIG compliance findings.  Which each require write ups a vendor (Splunk) dependencies.  

Question - why?  Why can't Splunk access the audit.log files the same way as the UF?  Or is there some way to do the same sort of thing with AmbientCapabilities for Splunkd.Service?

It is tempting to quit collecting these logs with Splunk itself and install UF on the Splunk instances too.

Labels (4)
0 Karma
Reply

ewok
Explorer
‎07-30-2025 01:53 PM

Too follow up.  Using 

[Service]
   AmbientCapabilities=CAP_DAC_READ_SEARCH

This fails under the following conditions:

  • If you have an old `Splunkd.service` file, with a line using =!, like the following:
ExecStart=!/opt/splunk/bin/splunk _internal_launch_under_systemd

If so, you will need to recreate the Splunkd.service file.

  • If you utilize the "Data inputs --> Files & directories" monitor method for ingest the /var/log/audit/audit,log files this fails.

This works with a current Splunk version (mine is 9.3.5) created Splunkd.service file and using the Splunk_TA_nix script method of ingest using rlog.sh.

Kuddos to @livehybrid for causing me to review and realize I had an out of date Splunkd.service file

 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-28-2025 11:19 PM

Hi @ewok 

The Splunk Enterprise systemd unit (splunkd.service) is not shipped with the same AmbientCapabilities=CAP_DAC_READ_SEARCH line that the Universal Forwarder package adds to its own unit (SplunkForwarder.service). 
That line gives the UF process the Linux capability to bypass discretionary access controls (DAC) and read files such as /var/log/audit/audit.log even when the file is mode 0600 and owned by root.
Enterprise installs simply omit that stanza, so splunkd runs with the default capability set and cannot open the audit log unless you relax the permissions or run Splunk as root (both STIG-failures).

You can alter this behaviour for Splunk Enterprise (Full install) by editing the splunkd.service file:

  1. Create the override directory (run as root):
    systemctl edit splunkd.service
  2. Add theAmbientCapabilities:
    [Service]
   AmbientCapabilities=CAP_DAC_READ_SEARCH
  3. Reload systemd and restart Splunk:
    systemctl daemon-reload
   systemctl restart splunkd.service

After the restart the running splunkd should have the same capability that the UF has and can read /var/log/audit/audit.log without touching file permissions or adding ACLs.

The override should not be overwritten with Splunk package upgrades, but always verify after an upgrade that its still in place.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PrewinThomas
Motivator
‎07-28-2025 09:15 PM

@ewok 

UF explicitly supports adding Linux capabilities via the AmbientCapabilities=CAP_DAC_READ_SEARCH setting. But full Splunk Enterprise instance does not utilize AmbientCapabilities, so it lacks these elevated per-file read permissions.

So your options to consider is,


-Use the Universal Forwarder on Splunk server hosts for audit log collection and keep Splunk Enterprise running as non-root.

-Run Splunkd as root (least preferred).

 

So my recommendation is If strict STIG compliance is essential, the best approach is to install the Universal Forwarder (UF) on your Splunk and use it solely for audit log collection.

#https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/universal-forwarder-manual/9.4...

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-28-2025 11:19 PM

Hi @ewok 

The Splunk Enterprise systemd unit (splunkd.service) is not shipped with the same AmbientCapabilities=CAP_DAC_READ_SEARCH line that the Universal Forwarder package adds to its own unit (SplunkForwarder.service).
That line gives the UF process the Linux capability to bypass discretionary access controls (DAC) and read files such as /var/log/audit/audit.log even when the file is mode 0600 and owned by root.
Enterprise installs simply omit that stanza, so splunkd runs with the default capability set and cannot open the audit log unless you relax the permissions or run Splunk as root (both STIG-failures).

You can alter this behaviour for Splunk Enterprise (Full install) by editing the splunkd.service file:

  1. Create the override directory (run as root):
    systemctl edit splunkd.service
  2. Add theAmbientCapabilities:
    [Service]
   AmbientCapabilities=CAP_DAC_READ_SEARCH
  3. Reload systemd and restart Splunk:
    systemctl daemon-reload
   systemctl restart splunkd.service

After the restart the running splunkd should have the same capability that the UF has and can read /var/log/audit/audit.log without touching file permissions or adding ACLs.

The override should not be overwritten with Splunk package upgrades, but always verify after an upgrade that its still in place.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...